android_kernel_asus_sm8350

Author	SHA1	Message	Date
Hridya Valsaraju	31aa7f2be2	FROMLIST: security: selinux: allow per-file labelling for binderfs This patch allows genfscon per-file labeling for binderfs. This is required to have separate permissions to allow access to binder, hwbinder and vndbinder devices which are relocating to binderfs. Acked-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Mark Salyzyn <salyzyn@android.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Hridya Valsaraju <hridya@google.com> Bug: 136497735 (cherry picked from commit 7a4b51947475a7f67e2bd06c4a4c768e2e64a975 git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git master) Link: https://lore.kernel.org/patchwork/patch/1175776/ Change-Id: I105cc54b30ddd4120dc23a363bddc2f9d00e4dc4	2020-01-23 22:38:12 +00:00
Jeff Vander Stoep	020b443d55	Revert "ANDROID: security,perf: Allow further restriction of perf_event_open" Unfork Android. This reverts commit `5dbd8df7b3`. Perf_event_paranoid=3 is no longer needed on Android. Access control of perf events is now done by selinux. See: https://patchwork.kernel.org/patch/11185793/ IGNORE_MERGE_CONFLICT_CHECK==kernel.rst documentation uses "====". Bug: 120445712 Bug: 137092007 Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Change-Id: Iba493424174b30baff460caaa25a54a472c87bd4	2020-01-23 22:02:32 +00:00
Jeff Vander Stoep	dc34c9f193	ANDROID: selinux: modify RTM_GETLINK permission Map the permission gating RTM_GETLINK messages to a new permission so that it can be distinguished from the other netlink route permissions in selinux policy. This is a temporary Android-only patch that will be deprecated in newer kernels once the long-term solution lands as discusssed on the mailing list [1]. The maintainer's recommended solution is more general, much more complex, and likely not suitable for backporting. This patch provides the minimal change needed for Android including the userspace settable trigger which ensures that the permission change is only applied to the newest version of Android which contains the changes needed for userpace compatibility. [1]: https://lore.kernel.org/selinux/20200116142653.61738-1-jeffv@google.com/ Bug: 141455849 Bug: 148218425 Test: CtsSelinuxTargetSdkCurrentTestCases Test: atest bionic-unit-tests-static Test: atest NetworkInterfaceTest Test: Connect to Wi-Fi network Test: Set up hotspot Test: Cast from device Test: Pair Bluetooth device Test: Call getifaddrs() directly from within an app. Test: Call NetworkInterface#getNetworkInterfaces() from within an app. Change-Id: I7b44ce60ad98f858c412722d41b9842f8577151f Signed-off-by: Jeff Vander Stoep <jeffv@google.com>	2020-01-23 20:13:53 +00:00
Greg Kroah-Hartman	b0b02162a4	This is the 5.4.13 stable release -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4iAaQACgkQONu9yGCS aT5vIg/+Lj4wdF3UuUWonHdWBhnfG2FKCWFTYJKPpFXFRMltAa27XKns/CvR8CBW 9ztOH928CR8K9BS7HbfGtsgOEOVzILb4+akco5UhrTH93dc2T6RwSDiMpaULgeIF x/n834yNlsHs1NSmjjuimBe1j4NcZwPnnNVGKmFojkv04QPsFjP6HCp7PR2/PMXP CVO5JBXqMYtMRprY0xkpAGCStqVZPF6uwfTPrKRgaOCTpkKsqBEFJbwqOoqGQWou fQPOmEFjw+e9rIKzJgou6k4YGrWITcpNnUMdxavCszcQFTeUnY1vpLTiVxyZC1E3 R+7ulfe+/zoQvWIer9H85ySLuOjSmmXb5CM9Fc0WLSsvKmTKfUNe/g5Cce+rngPY x/+tIBvXgFSoGR4oO5dEHhXn9Hzqr0OHbZy1dLKY1RU4NzxLsAtR2DH4ps25I4ux Ty2P0kYwm5Sz43MspnFAPTaU5kC3qHVNMjanbb5I7xGF2m0HZmh0zRHBC50DqP4Y nmLUklpX4EGVAYGb94YZMa3ugksSvie2SLgk838UQG+lGqaQoxAyAeRmDdyR1zE7 GHlkNxWj8cbkBsPDSYt6Wvrt+7+e8Bbk5Y/fM5+j02h6ehs9wqOaQ985CfvrrYix RyGc7pWt1FPL7Kqv/CtbDieglS/P0BMPPGYX2rfidk6i+0knWaE= =53PP -----END PGP SIGNATURE----- Merge 5.4.13 into android-5.4 Changes in 5.4.13 HID: hidraw, uhid: Always report EPOLLOUT rtc: mt6397: fix alarm register overwrite phy: mapphone-mdm6600: Fix uninitialized status value regression RDMA/bnxt_re: Avoid freeing MR resources if dereg fails RDMA/bnxt_re: Fix Send Work Entry state check while polling completions IB/hfi1: Don't cancel unused work item mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus i2c: bcm2835: Store pointer to bus clock ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev ASoC: soc-core: Set dpcm_playback / dpcm_capture ASoC: stm32: spdifrx: fix inconsistent lock state ASoC: stm32: spdifrx: fix race condition in irq handler ASoC: stm32: spdifrx: fix input pin state management pinctrl: lochnagar: select GPIOLIB netfilter: nft_flow_offload: fix underflow in flowtable reference counter ASoC: SOF: imx8: Fix dsp_box offset mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy gpio: zynq: Fix for bug in zynq_gpio_restore_context API pinctrl: meson: Fix wrong shift value when get drive-strength selftests: loopback.sh: skip this test if the driver does not support iommu/vt-d: Unlink device if failed to add to group iommu: Remove device link to group on failure bpf: cgroup: prevent out-of-order release of cgroup bpf fs: move guard_bio_eod() after bio_set_op_attrs scsi: mpt3sas: Fix double free in attach error handling gpio: Fix error message on out-of-range GPIO in lookup table PM / devfreq: tegra: Add COMMON_CLK dependency PCI: amlogic: Fix probed clock names drm/tegra: Fix ordering of cleanup code hsr: add hsr root debugfs directory hsr: rename debugfs file when interface name is changed hsr: reset network header when supervision frame is created s390/qeth: fix qdio teardown after early init error s390/qeth: fix false reporting of VNIC CHAR config failure s390/qeth: Fix vnicc_is_in_use if rx_bcast not set s390/qeth: vnicc Fix init to default s390/qeth: fix initialization on old HW cifs: Adjust indentation in smb2_open_file scsi: smartpqi: Update attribute name to `driver_version` MAINTAINERS: Append missed file to the database ath9k: use iowrite32 over __raw_writel can: j1939: fix address claim code example dt-bindings: reset: Fix brcmstb-reset example reset: brcmstb: Remove resource checks afs: Fix missing cell comparison in afs_test_super() perf vendor events s390: Remove name from L1D_RO_EXCL_WRITES description syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0 syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn syscalls/x86: Use the correct function type for sys_ni_syscall syscalls/x86: Fix function types in COND_SYSCALL hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename() btrfs: simplify inode locking for RWF_NOWAIT netfilter: nf_tables_offload: release flow_rule on error from commit path netfilter: nft_meta: use 64-bit time arithmetic ASoC: dt-bindings: mt8183: add missing update ASoC: simple_card_utils.h: Add missing include ASoC: fsl_esai: Add spin lock to protect reset, stop and start ASoC: SOF: Intel: Broadwell: clarify mutual exclusion with legacy driver ASoC: core: Fix compile warning with CONFIG_DEBUG_FS=n ASoC: rsnd: fix DALIGN register for SSIU RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size() RDMA/hns: remove a redundant le16_to_cpu RDMA/hns: Modify return value of restrack functions RDMA/counter: Prevent QP counter manual binding in auto mode RDMA/siw: Fix port number endianness in a debug message RDMA/hns: Fix build error again RDMA/hns: Release qp resources when failed to destroy qp xprtrdma: Add unique trace points for posting Local Invalidate WRs xprtrdma: Connection becomes unstable after a reconnect xprtrdma: Fix MR list handling xprtrdma: Close window between waking RPC senders and posting Receives RDMA/hns: Fix to support 64K page for srq RDMA/hns: Bugfix for qpc/cqc timer configuration rdma: Remove nes ABI header RDMA/mlx5: Return proper error value RDMA/srpt: Report the SCSI residual to the initiator uaccess: Add non-pagefault user-space write function bpf: Make use of probe_user_write in probe write helper bpf: skmsg, fix potential psock NULL pointer dereference bpf: Support pre-2.25-binutils objcopy for vmlinux BTF libbpf: Fix Makefile' libbpf symbol mismatch diagnostic afs: Fix use-after-loss-of-ref afs: Fix afs_lookup() to not clobber the version on a new dentry keys: Fix request_key() cache scsi: enclosure: Fix stale device oops with hot replug scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI platform/mellanox: fix potential deadlock in the tmfifo driver platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 platform/x86: GPD pocket fan: Use default values when wrong modparams are given asm-generic/nds32: don't redefine cacheflush primitives Documentation/ABI: Fix documentation inconsistency for mlxreg-io sysfs interfaces Documentation/ABI: Add missed attribute for mlxreg-io sysfs interfaces xprtrdma: Fix create_qp crash on device unload xprtrdma: Fix completion wait during device removal xprtrdma: Fix oops in Receive handler after device removal dm: add dm-clone to the documentation index scsi: ufs: Give an unique ID to each ufs-bsg crypto: cavium/nitrox - fix firmware assignment to AE cores crypto: hisilicon - select NEED_SG_DMA_LENGTH in qm Kconfig crypto: arm64/aes-neonbs - add return value of skcipher_walk_done() in __xts_crypt() crypto: virtio - implement missing support for output IVs crypto: algif_skcipher - Use chunksize instead of blocksize crypto: geode-aes - convert to skcipher API and make thread-safe NFSv2: Fix a typo in encode_sattr() nfsd: Fix cld_net->cn_tfm initialization nfsd: v4 support requires CRYPTO_SHA256 NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process() NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn iio: imu: st_lsm6dsx: fix gyro gain definitions for LSM9DS1 iio: imu: adis16480: assign bias value only if operation succeeded mei: fix modalias documentation clk: meson: axg-audio: fix regmap last register clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume clk: Fix memory leak in clk_unregister() dmaengine: dw: platform: Mark 'hclk' clock optional clk: imx: pll14xx: Fix quick switch of S/K parameter rsi: fix potential null dereference in rsi_probe() affs: fix a memory leak in affs_remount pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call pinctrl: sh-pfc: Fix PINMUX_IPSR_PHYS() to set GPSR pinctrl: sh-pfc: Do not use platform_get_irq() to count interrupts pinctrl: lewisburg: Update pin list according to v1.1v6 PCI: pciehp: Do not disable interrupt twice on suspend Revert "drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper." drm/amdgpu: cleanup creating BOs at fixed location (v2) drm/amdgpu/discovery: reserve discovery data at the top of VRAM scsi: sd: enable compat ioctls for sed-opal arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD gfs2: add compat_ioctl support af_unix: add compat_ioctl support compat_ioctl: handle SIOCOUTQNSD PCI: aardvark: Use LTSSM state to build link training flag PCI: aardvark: Fix PCI_EXP_RTCTL register configuration PCI: dwc: Fix find_next_bit() usage PCI: Fix missing bridge dma_ranges resource list cleanup PCI/PM: Clear PCIe PME Status even for legacy power management tools: PCI: Fix fd leakage PCI/PTM: Remove spurious "d" from granularity message powerpc/powernv: Disable native PCIe port management MIPS: PCI: remember nasid changed by set interrupt affinity MIPS: Loongson: Fix return value of loongson_hwmon_init MIPS: SGI-IP27: Fix crash, when CPUs are disabled via nr_cpus parameter tty: serial: imx: use the sg count from dma_map_sg tty: serial: pch_uart: correct usage of dma_unmap_sg ARM: 8943/1: Fix topology setup in case of CPU hotplug for CONFIG_SCHED_MC media: ov6650: Fix incorrect use of JPEG colorspace media: ov6650: Fix some format attributes not under control media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support media: ov6650: Fix default format not applied on device probe media: rcar-vin: Fix incorrect return statement in rvin_try_format() media: hantro: h264: Fix the frame_num wraparound case media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()' media: exynos4-is: Fix recursive locking in isp_video_release() media: coda: fix deadlock between decoder picture run and start command media: cedrus: Use correct H264 8x8 scaling list media: hantro: Do not reorder H264 scaling list media: aspeed-video: Fix memory leaks in aspeed_video_probe media: hantro: Set H264 FIELDPIC_FLAG_E flag correctly iommu/mediatek: Correct the flush_iotlb_all callback iommu/mediatek: Add a new tlb_lock for tlb_flush memory: mtk-smi: Add PM suspend and resume ops Revert "ubifs: Fix memory leak bug in alloc_ubifs_info() error path" ubifs: Fixed missed le64_to_cpu() in journal ubifs: do_kill_orphans: Fix a memory leak bug spi: sprd: Fix the incorrect SPI register mtd: spi-nor: fix silent truncation in spi_nor_read() mtd: spi-nor: fix silent truncation in spi_nor_read_raw() spi: pxa2xx: Set controller->max_transfer_size in dma mode spi: atmel: fix handling of cs_change set on non-last xfer spi: rspi: Use platform_get_irq_byname_optional() for optional irqs spi: lpspi: fix memory leak in fsl_lpspi_probe iwlwifi: mvm: consider ieee80211 station max amsdu value rtlwifi: Remove unnecessary NULL check in rtl_regd_init iwlwifi: mvm: fix support for single antenna diversity sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO f2fs: fix potential overflow NFSD fixing possible null pointer derefering in copy offload rtc: msm6242: Fix reading of 10-hour digit rtc: brcmstb-waketimer: add missed clk_disable_unprepare rtc: bd70528: Add MODULE ALIAS to autoload module gpio: mpc8xxx: Add platform device to gpiochip->parent scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() scsi: target/iblock: Fix protection error with blocks greater than 512B selftests: firmware: Fix it to do root uid check and skip rseq/selftests: Turn off timeout setting riscv: export flush_icache_all to modules mips: cacheinfo: report shared CPU map mips: Fix gettimeofday() in the vdso library tomoyo: Suppress RCU warning at list_for_each_entry_rcu(). MIPS: Prevent link failure with kcov instrumentation drm/arm/mali: make malidp_mw_connector_helper_funcs static rxrpc: Unlock new call in rxrpc_new_incoming_call() rather than the caller rxrpc: Don't take call->user_mutex in rxrpc_new_incoming_call() rxrpc: Fix missing security check on incoming calls dmaengine: k3dma: Avoid null pointer traversal s390/qeth: lock the card while changing its hsuid ioat: ioat_alloc_ring() failure handling. drm/amdgpu: enable gfxoff for raven1 refresh media: intel-ipu3: Align struct ipu3_uapi_awb_fr_config_s to 32 bytes kbuild/deb-pkg: annotate libelf-dev dependency as :native hexagon: parenthesize registers in asm predicates hexagon: work around compiler crash ocfs2: call journal flush to mark journal as empty after journal recovery when mount Linux 5.4.13 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I90734cd9d80f000e05a8109a529916ae641cdede	2020-01-17 23:38:39 +01:00
Tetsuo Handa	1b32e6ea73	tomoyo: Suppress RCU warning at list_for_each_entry_rcu(). [ Upstream commit 6bd5ce6089b561f5392460bfb654dea89356ab1b ] John Garry has reported that allmodconfig kernel on arm64 causes flood of "RCU-list traversed in non-reader section!!" warning. I don't know what change caused this warning, but this warning is safe because TOMOYO uses SRCU lock instead. Let's suppress this warning by explicitly telling that the caller is holding SRCU lock. Reported-and-tested-by: John Garry <john.garry@huawei.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-01-17 19:49:05 +01:00
Joel Fernandes (Google)	ad70668a3d	BACKPORT: perf_event: Add support for LSM and SELinux checks In current mainline, the degree of access to perf_event_open(2) system call depends on the perf_event_paranoid sysctl. This has a number of limitations: 1. The sysctl is only a single value. Many types of accesses are controlled based on the single value thus making the control very limited and coarse grained. 2. The sysctl is global, so if the sysctl is changed, then that means all processes get access to perf_event_open(2) opening the door to security issues. This patch adds LSM and SELinux access checking which will be used in Android to access perf_event_open(2) for the purposes of attaching BPF programs to tracepoints, perf profiling and other operations from userspace. These operations are intended for production systems. 5 new LSM hooks are added: 1. perf_event_open: This controls access during the perf_event_open(2) syscall itself. The hook is called from all the places that the perf_event_paranoid sysctl is checked to keep it consistent with the systctl. The hook gets passed a 'type' argument which controls CPU, kernel and tracepoint accesses (in this context, CPU, kernel and tracepoint have the same semantics as the perf_event_paranoid sysctl). Additionally, I added an 'open' type which is similar to perf_event_paranoid sysctl == 3 patch carried in Android and several other distros but was rejected in mainline [1] in 2016. 2. perf_event_alloc: This allocates a new security object for the event which stores the current SID within the event. It will be useful when the perf event's FD is passed through IPC to another process which may try to read the FD. Appropriate security checks will limit access. 3. perf_event_free: Called when the event is closed. 4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event. 5. perf_event_write: Called from the ioctl(2) syscalls for the event. [1] https://lwn.net/Articles/696240/ Since Peter had suggest LSM hooks in 2016 [1], I am adding his Suggested-by tag below. To use this patch, we set the perf_event_paranoid sysctl to -1 and then apply selinux checking as appropriate (default deny everything, and then add policy rules to give access to domains that need it). In the future we can remove the perf_event_paranoid sysctl altogether. Suggested-by: Peter Zijlstra <peterz@infradead.org> Co-developed-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: James Morris <jmorris@namei.org> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: rostedt@goodmis.org Cc: Yonghong Song <yhs@fb.com> Cc: Kees Cook <keescook@chromium.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: jeffv@google.com Cc: Jiri Olsa <jolsa@redhat.com> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: primiano@google.com Cc: Song Liu <songliubraving@fb.com> Cc: rsavitski@google.com Cc: Namhyung Kim <namhyung@kernel.org> Cc: Matthew Garrett <matthewgarrett@google.com> Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org Bug: 137092007 (cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e) [ Ryan Savitski: resolved merge conflicts with perf_event_paranoid=3 code ] Signed-off-by: Ryan Savitski <rsavitski@google.com> [ Ryan Savitski: Folded in upstream ae79d5588a04 (perf/core: Fix !CONFIG_PERF_EVENTS build warnings and failures). This should fix the build errors from the previous backport attempt, where certain configurations would end up with functions referring to the perf_event struct prior to its declaration (and therefore declaring it with a different scope). ] Signed-off-by: Ryan Savitski <rsavitski@google.com> Change-Id: I50769ede23fbfd8996657c6dae99cab98a3042bc	2020-01-09 21:25:09 +00:00
Greg Kroah-Hartman	813bf83282	This is the 5.4.9 stable release -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4W8EgACgkQONu9yGCS aT4szA//fqXI1OQ3xcCt5s9MYZYYa6IpX/VZ0H7lNC/7pkJzccKo+aSer7ppEn4o ND8sHNx/lhfZorhvLdqJK4PLThC+fXmXnLvFOzqvZeUVyesnv9zlhd/5JNu18Fvc RNjcIRIAHFwanZLAw8uft1DIZXcZ8wNkAAugn/WQV3FN/TG+FsrDzWYnmbBhRIQS XC/2jSlFpMTKoExNzEdbduG0XH5plWeE+AdY3a+DQsOBUO2XrAuk5HTEByM1jzPV W7U9vMqvw3OyrERcA0lmjs37Waw1e0qzfUaa8Bman5Uc0StOTq0UwschX21SB5yP MvbAKhqaKtSff7b4lNrDP9Kj1O/lH84WPSn/aao9D083m/ZYdkkd4AWMlS480lL5 oJ28tFbgwLayIqDbwCggHluTsNUdQSTwahVbnp4GMqxfjWrApdLPCqloSb+x9JCF 9pWJf3awI53mA864pH/uOM7pDOz5/c/oJ4QzVmOmR48dsddorY+gPcwk+YpElJcZ +xCBQDN5JkNC7lwqu2lvaoq/5cMC5lO/v6aeTfsYCRVnlNY12TY8z352zzMZfCKG GRkNvDqWZ5ZmQ+LblWRVbgdGxU42wIYXUS1jUdFd+5DRzz17+ZKUy7YbLNmZMcpY UyiM2Ij7X7HsNGrYDKFq0lZPw6k7v3FshvMwQ8C6dNk+l3o9oCA= =M+hs -----END PGP SIGNATURE----- Merge 5.4.9 into android-5.4 Changes in 5.4.9 drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be found nvme_fc: add module to ops template to allow module references nvme-fc: fix double-free scenarios on hw queues drm/amdgpu: add check before enabling/disabling broadcast mode drm/amdgpu: add header line for power profile on Arcturus drm/amdgpu: add cache flush workaround to gfx8 emit_fence drm/amd/display: Map DSC resources 1-to-1 if numbers of OPPs and DSCs are equal drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI dongle drm/amd/display: Change the delay time before enabling FEC drm/amd/display: Reset steer fifo before unblanking the stream drm/amd/display: update dispclk and dppclk vco frequency nvme/pci: Fix write and poll queue types nvme/pci: Fix read queue count iio: st_accel: Fix unused variable warning iio: adc: max9611: Fix too short conversion time delay PM / devfreq: Fix devfreq_notifier_call returning errno PM / devfreq: Set scaling_max_freq to max on OPP notifier error PM / devfreq: Don't fail devfreq_dev_release if not in list afs: Fix afs_find_server lookups for ipv4 peers afs: Fix SELinux setting security label on /afs RDMA/cma: add missed unregister_pernet_subsys in init failure rxe: correctly calculate iCRC for unaligned payloads scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func scsi: qla2xxx: Use explicit LOGO in target mode scsi: qla2xxx: Drop superfluous INIT_WORK of del_work scsi: qla2xxx: Don't call qlt_async_event twice scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length scsi: qla2xxx: Configure local loop for N2N target scsi: qla2xxx: Send Notify ACK after N2N PLOGI scsi: qla2xxx: Don't defer relogin unconditonally scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI scsi: iscsi: qla4xxx: fix double free in probe scsi: libsas: stop discovering if oob mode is disconnected scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func staging/wlan-ng: add CRC32 dependency in Kconfig drm/nouveau: Move the declaration of struct nouveau_conn_atom up a bit drm/nouveau: Fix drm-core using atomic code-paths on pre-nv50 hardware drm/nouveau/kms/nv50-: fix panel scaling usb: gadget: fix wrong endpoint desc net: make socket read/write_iter() honor IOCB_NOWAIT afs: Fix mountpoint parsing afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP raid5: need to set STRIPE_HANDLE for batch head md: raid1: check rdev before reference in raid1_sync_request func s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits s390/cpum_sf: Avoid SBD overflow condition in irq handler RDMA/counter: Prevent auto-binding a QP which are not tracked with res IB/mlx4: Follow mirror sequence of device add during device removal IB/mlx5: Fix steering rule of drop and count xen-blkback: prevent premature module unload xen/balloon: fix ballooned page accounting without hotplug enabled PM / hibernate: memory_bm_find_bit(): Tighten node optimisation ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC PCI: Add a helper to check Power Resource Requirements _PR3 existence ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a driver PCI: Fix missing inline for pci_pr3_present() ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen tcp: fix data-race in tcp_recvmsg() shmem: pin the file in shmem_fault() if mmap_sem is dropped taskstats: fix data-race ALSA: hda - Downgrade error message for single-cmd fallback netfilter: nft_tproxy: Fix port selector on Big Endian block: add bio_truncate to fix guard_bio_eod mm: drop mmap_sem before calling balance_dirty_pages() in write fault ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code ALSA: usb-audio: fix set_format altsetting sanity check ALSA: usb-audio: set the interface format after resume on Dell WD19 ALSA: hda - Apply sync-write workaround to old Intel platforms, too ALSA: hda/realtek - Add headset Mic no shutup for ALC283 drm/sun4i: hdmi: Remove duplicate cleanup calls drm/amdgpu/smu: add metrics table lock drm/amdgpu/smu: add metrics table lock for arcturus (v2) drm/amdgpu/smu: add metrics table lock for navi (v2) drm/amdgpu/smu: add metrics table lock for vega20 (v2) MIPS: BPF: Disable MIPS32 eBPF JIT MIPS: BPF: eBPF JIT: check for MIPS ISA compliance in Kconfig MIPS: Avoid VDSO ABI breakage due to global register variable media: pulse8-cec: fix lost cec_transmit_attempt_done() call media: cec: CEC 2.0-only bcast messages were ignored media: cec: avoid decrementing transmit_queue_sz if it is 0 media: cec: check 'transmit_in_progress', not 'transmitting' mm/memory_hotplug: shrink zones when offlining memory mm/zsmalloc.c: fix the migrated zspage statistics. memcg: account security cred as well to kmemcg mm: move_pages: return valid node id in status if the page is already on the target node mm/oom: fix pgtables units mismatch in Killed process message ocfs2: fix the crash due to call ocfs2_get_dlm_debug once less pstore/ram: Write new dumps to start of recycled zones pstore/ram: Fix error-path memory leak in persistent_ram_new() callers gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again locks: print unsigned ino in /proc/locks selftests/seccomp: Zero out seccomp_notif seccomp: Check that seccomp_notif is zeroed out by the user samples/seccomp: Zero out members based on seccomp_notif_sizes selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV dmaengine: Fix access to uninitialized dma_slave_caps dmaengine: dma-jz4780: Also break descriptor chains on JZ4725B Btrfs: fix infinite loop during nocow writeback due to race compat_ioctl: block: handle Persistent Reservations compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE compat_ioctl: block: handle BLKGETZONESZ/BLKGETNRZONES bpf: Fix precision tracking for unbounded scalars ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys() ata: ahci_brcm: Fix AHCI resources management ata: ahci_brcm: Add missing clock management during recovery ata: ahci_brcm: BCM7425 AHCI requires AHCI_HFLAG_DELAY_ENGINE libata: Fix retrieving of active qcs gpio: xtensa: fix driver build gpiolib: fix up emulated open drain outputs clocksource: riscv: add notrace to riscv_sched_clock riscv: ftrace: correct the condition logic in function graph tracer rseq/selftests: Fix: Namespace gettid() for compatibility with glibc 2.30 tracing: Fix lock inversion in trace_event_enable_tgid_record() tracing: Avoid memory leak in process_system_preds() tracing: Have the histogram compare functions convert to u64 first tracing: Fix endianness bug in histogram trigger samples/trace_printk: Wait for IRQ work to finish io_uring: use current task creds instead of allocating a new one mm/gup: fix memory leak in __gup_benchmark_ioctl apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock dmaengine: virt-dma: Fix access after free in vchan_complete() gen_initramfs_list.sh: fix 'bad variable name' error ALSA: cs4236: fix error return comparison of an unsigned integer ALSA: pcm: Yet another missing check of non-cached buffer type ALSA: firewire-motu: Correct a typo in the clock proc string scsi: lpfc: Fix rpi release when deleting vport exit: panic before exit_mm() on global init exit arm64: Revert support for execute-only user mappings ftrace: Avoid potential division by zero in function profiler spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode drm/msm: include linux/sched/task.h PM / devfreq: Check NULL governor in available_governors_show sunrpc: fix crash when cache_head become valid before update arm64: dts: qcom: msm8998-clamshell: Remove retention idle state nfsd4: fix up replay_matches_cache() powerpc: Chunk calls to flush_dcache_range in arch_*_memory HID: i2c-hid: Reset ALPS touchpads on resume net/sched: annotate lockless accesses to qdisc->empty kernel/module.c: wakeup processes in module_wq on module unload ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100 perf callchain: Fix segfault in thread__resolve_callchain_sample() iommu/vt-d: Remove incorrect PSI capability check of: overlay: add_changeset_property() memory leak cifs: Fix potential softlockups while refreshing DFS cache firmware: arm_scmi: Avoid double free in error flow xfs: don't check for AG deadlock for realtime files in bunmapi platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table netfilter: nf_queue: enqueue skbs with NULL dst net, sysctl: Fix compiler warning when only cBPF is present watchdog: tqmx86_wdt: Fix build error regulator: axp20x: Fix axp20x_set_ramp_delay regulator: bd70528: Remove .set_ramp_delay for bd70528_ldo_ops spi: uniphier: Fix FIFO threshold regulator: axp20x: Fix AXP22x ELDO2 regulator enable bitmask powerpc/mm: Mark get_slice_psize() & slice_addr_is_low() as notrace Bluetooth: btusb: fix PM leak in error case of setup Bluetooth: delete a stray unlock Bluetooth: Fix memory leak in hci_connect_le_scan arm64: dts: meson-gxl-s905x-khadas-vim: fix uart_A bluetooth node arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node media: flexcop-usb: ensure -EIO is returned on error condition regulator: ab8500: Remove AB8505 USB regulator media: usb: fix memory leak in af9005_identify_state dt-bindings: clock: renesas: rcar-usb2-clock-sel: Fix typo in example arm64: dts: meson: odroid-c2: Disable usb_otg bus to avoid power failed warning phy: renesas: rcar-gen3-usb2: Use platform_get_irq_optional() for optional irq tty: serial: msm_serial: Fix lockup for sysrq and oops cifs: Fix lookup of root ses in DFS referral cache fs: cifs: Fix atime update check vs mtime fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP ath9k_htc: Modify byte order for an error message ath9k_htc: Discard undersized packets drm/i915/execlists: Fix annotation for decoupling virtual request xfs: periodically yield scrub threads to the scheduler net: add annotations on hh->hh_len lockless accesses ubifs: ubifs_tnc_start_commit: Fix OOB in layout_in_gaps btrfs: get rid of unique workqueue helper functions Btrfs: only associate the locked page with one async_chunk struct s390/smp: fix physical to logical CPU map for SMT mm/sparse.c: mark populate_section_memmap as __meminit xen/blkback: Avoid unmapping unmapped grant pages lib/ubsan: don't serialize UBSAN report efi: Don't attempt to map RCI2 config table if it doesn't exist perf/x86/intel/bts: Fix the use of page_private() net: annotate lockless accesses to sk->sk_pacing_shift hsr: avoid debugfs warning message when module is remove hsr: fix error handling routine in hsr_dev_finalize() hsr: fix a race condition in node list insertion and deletion mm/hugetlb: defer freeing of huge pages if in non-task context Linux 5.4.9 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8eebcdac421faf74f70af8e8666abfdcdc45c86b	2020-01-09 16:00:18 +01:00
Greg Kroah-Hartman	49a04248ba	Revert "BACKPORT: perf_event: Add support for LSM and SELinux checks" This reverts commit `3605586e90` as it breaks the build :( Cc: Ryan Savitski <rsavitski@google.com> Cc: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>	2020-01-09 10:57:30 +01:00
John Johansen	e0d2bf5a01	apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock commit 8c62ed27a12c00e3db1c9f04bc0f272bdbb06734 upstream. aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a context protected by an rcu_read_lock. This can not be done as vfs_getxattr_alloc() may sleep regardles of the gfp_t value being passed to it. Fix this by breaking the rcu_read_lock on the policy search when the xattr match feature is requested and restarting the search if a policy changes occur. Fixes: `8e51f9087f` ("apparmor: Add support for attaching profiles via xattr, presence and value") Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com> Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-09 10:20:00 +01:00
Joel Fernandes (Google)	3605586e90	BACKPORT: perf_event: Add support for LSM and SELinux checks In current mainline, the degree of access to perf_event_open(2) system call depends on the perf_event_paranoid sysctl. This has a number of limitations: 1. The sysctl is only a single value. Many types of accesses are controlled based on the single value thus making the control very limited and coarse grained. 2. The sysctl is global, so if the sysctl is changed, then that means all processes get access to perf_event_open(2) opening the door to security issues. This patch adds LSM and SELinux access checking which will be used in Android to access perf_event_open(2) for the purposes of attaching BPF programs to tracepoints, perf profiling and other operations from userspace. These operations are intended for production systems. 5 new LSM hooks are added: 1. perf_event_open: This controls access during the perf_event_open(2) syscall itself. The hook is called from all the places that the perf_event_paranoid sysctl is checked to keep it consistent with the systctl. The hook gets passed a 'type' argument which controls CPU, kernel and tracepoint accesses (in this context, CPU, kernel and tracepoint have the same semantics as the perf_event_paranoid sysctl). Additionally, I added an 'open' type which is similar to perf_event_paranoid sysctl == 3 patch carried in Android and several other distros but was rejected in mainline [1] in 2016. 2. perf_event_alloc: This allocates a new security object for the event which stores the current SID within the event. It will be useful when the perf event's FD is passed through IPC to another process which may try to read the FD. Appropriate security checks will limit access. 3. perf_event_free: Called when the event is closed. 4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event. 5. perf_event_write: Called from the ioctl(2) syscalls for the event. [1] https://lwn.net/Articles/696240/ Since Peter had suggest LSM hooks in 2016 [1], I am adding his Suggested-by tag below. To use this patch, we set the perf_event_paranoid sysctl to -1 and then apply selinux checking as appropriate (default deny everything, and then add policy rules to give access to domains that need it). In the future we can remove the perf_event_paranoid sysctl altogether. Suggested-by: Peter Zijlstra <peterz@infradead.org> Co-developed-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: James Morris <jmorris@namei.org> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: rostedt@goodmis.org Cc: Yonghong Song <yhs@fb.com> Cc: Kees Cook <keescook@chromium.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Alexei Starovoitov <ast@kernel.org> Cc: jeffv@google.com Cc: Jiri Olsa <jolsa@redhat.com> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: primiano@google.com Cc: Song Liu <songliubraving@fb.com> Cc: rsavitski@google.com Cc: Namhyung Kim <namhyung@kernel.org> Cc: Matthew Garrett <matthewgarrett@google.com> Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org Bug: 137092007 Change-Id: I5df32b668e2dd5f2dd3ab472dfc74f533bc4d8db (cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e) [ Ryan Savitski: resolved merge conflicts with perf_event_paranoid=3 code ] Signed-off-by: Ryan Savitski <rsavitski@google.com>	2020-01-08 13:41:18 +00:00
Jeff Vander Stoep	20810a2469	UPSTREAM: selinux: sidtab reverse lookup hash table This replaces the reverse table lookup and reverse cache with a hashtable which improves cache-miss reverse-lookup times from O(n) to O(1)* and maintains the same performance as a reverse cache hit. This reduces the time needed to add a new sidtab entry from ~500us to 5us on a Pixel 3 when there are ~10,000 sidtab entries. The implementation uses the kernel's generic hashtable API, It uses the context's string represtation as the hash source, and the kernels generic string hashing algorithm full_name_hash() to reduce the string to a 32 bit value. This change also maintains the improvement introduced in commit `ee1a84fdfe` ("selinux: overhaul sidtab to fix bug and improve performance") which removed the need to keep the current sidtab locked during policy reload. It does however introduce periodic locking of the target sidtab while converting the hashtable. Sidtab entries are never modified or removed, so the context struct stored in the sid_to_context tree can also be used for the context_to_sid hashtable to reduce memory usage. This bug was reported by: - On the selinux bug tracker. BUG: kernel softlockup due to too many SIDs/contexts #37 https://github.com/SELinuxProject/selinux-kernel/issues/37 - Jovana Knezevic on Android's bugtracker. Bug: 140252993 "During multi-user performance testing, we create and remove users many times. selinux_android_restorecon_pkgdir goes from 1ms to over 20ms after about 200 user creations and removals. Accumulated over ~280 packages, that adds a significant time to user creation, making perf benchmarks unreliable." * Hashtable lookup is only O(1) when n < the number of buckets. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Reported-by: Stephen Smalley <sds@tycho.nsa.gov> Reported-by: Jovana Knezevic <jovanak@google.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: subj tweak, removed changelog from patch description] Signed-off-by: Paul Moore <paul@paul-moore.com> (cherry picked from commit 66f8e2f03c02e812002f8e9e465681cc62edda5b) Bug: 140252993 Change-Id: Iead2a1d90731ae24fefec2a40af5ffdc457ac916 Signed-off-by: Jeff Vander Stoep <jeffv@google.com>	2020-01-06 16:05:39 +00:00
Greg Kroah-Hartman	de197c5a4f	This is the 5.4.8 stable release -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4Q1ycACgkQONu9yGCS aT5YRg//SPO6yX/WxWjac/ZHnKrarTqnIF1jxK++pLYZLpBeSHs/n5BhguJoL37s KVhCEdilnp1Fb49nuM65RJKqgvGyKxn9p380vNTkU6VUf/6O2lFN28nWVqWaSJqj kjb+7Jkn0iJ4LTHwGPeFSqvxG66SsjOJfFsR6bqXaGGFZgSwC4yVTqYhkuCV6TGP hEEcy7IgB9LT3lXHSQelG7cuc2Zs5MJSeLx+Ji+UQYyRIZwsMHJ1M8BvAI5Zd1J4 WrdJIVpyNAh5b65cXGuDYmSSIiqIFDNY43JbTII5RVEj/SjnJfnxDZ3+joJswJlo noty2f7cg7GiKH8BhNXvuVopFu3Ycz1/deMIu3S8boWBVFawwECb0akLuB7Ms1n1 QHeXFExZyHxhPnBPfJ2dYwXMIgImvVS/3nPW4CcBsRbBjqUKhQeImoqk41+gfGDb cZ0F7VUZ7Mq5O4raNYICMWoANqQTrXF9DUuA1e909CufP7BQBpw1X5XjITUBa0Gs gvFrAU4oyqkX9xUVNb+n5qR6X1OjBTTNhaet6l06fuDNeWf7T0gVoVlKOf4dLCqP uKy62Ps9QZsTsjgnjbdKuSFwlbu8S/qKrEqCnUS6vRYbrM2bUxkJL3D1xr6JHnGS aMzPOxdt4JvrppYtBCJQr+/ETQzv2A1l3IeIujldiKzNnsoIUeY= =mI67 -----END PGP SIGNATURE----- Merge 5.4.8 into android-5.4 Changes in 5.4.8 Revert "MIPS: futex: Restore \n after sync instructions" Revert "MIPS: futex: Emit Loongson3 sync workarounds within asm" scsi: lpfc: Fix spinlock_irq issues in lpfc_els_flush_cmd() scsi: lpfc: Fix discovery failures when target device connectivity bounces scsi: mpt3sas: Fix clear pending bit in ioctl status scsi: lpfc: Fix locking on mailbox command completion scsi: mpt3sas: Reject NVMe Encap cmnds to unsupported HBA gpio: mxc: Only get the second IRQ when there is more than one IRQ scsi: lpfc: Fix list corruption in lpfc_sli_get_iocbq Input: atmel_mxt_ts - disable IRQ across suspend f2fs: fix to update time in lazytime mode powerpc/papr_scm: Fix an off-by-one check in papr_scm_meta_{get, set} tools/power/x86/intel-speed-select: Remove warning for unused result platform/x86: peaq-wmi: switch to using polled mode of input devices iommu: rockchip: Free domain on .domain_free iommu/tegra-smmu: Fix page tables in > 4 GiB memory dmaengine: xilinx_dma: Clear desc_pendingcount in xilinx_dma_reset scsi: target: compare full CHAP_A Algorithm strings scsi: lpfc: Fix hardlockup in lpfc_abort_handler scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices scsi: csiostor: Don't enable IRQs too early scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec() scsi: hisi_sas: Delete the debugfs folder of hisi_sas when the probe fails powerpc/pseries: Mark accumulate_stolen_time() as notrace powerpc/pseries: Don't fail hash page table insert for bolted mapping Input: st1232 - do not reset the chip too early selftests/powerpc: Fixup clobbers for TM tests powerpc/tools: Don't quote $objdump in scripts dma-debug: add a schedule point in debug_dma_dump_mappings() dma-mapping: Add vmap checks to dma_map_single() dma-mapping: fix handling of dma-ranges for reserved memory (again) dmaengine: fsl-qdma: Handle invalid qdma-queue0 IRQ leds: lm3692x: Handle failure to probe the regulator leds: an30259a: add a check for devm_regmap_init_i2c leds: trigger: netdev: fix handling on interface rename clocksource/drivers/asm9260: Add a check for of_clk_get clocksource/drivers/timer-of: Use unique device name instead of timer dtc: Use pkg-config to locate libyaml selftests/powerpc: Skip tm-signal-sigreturn-nt if TM not available powerpc/security/book3s64: Report L1TF status in sysfs powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning ext4: update direct I/O read lock pattern for IOCB_NOWAIT ext4: iomap that extends beyond EOF should be marked dirty jbd2: Fix statistics for the number of logged blocks scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) scsi: lpfc: Fix unexpected error messages during RSCN handling scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow f2fs: fix to update dir's i_pino during cross_rename clk: qcom: smd: Add missing pnoc clock clk: qcom: Allow constant ratio freq tables for rcg clk: clk-gpio: propagate rate change to parent irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary irqchip: ingenic: Error out if IRQ domain creation failed dma-direct: check for overflows on 32 bit DMA addresses fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long iommu/arm-smmu-v3: Don't display an error when IRQ lines are missing i2c: stm32f7: fix & reorder remove & probe error handling iomap: fix return value of iomap_dio_bio_actor on 32bit systems Input: ili210x - handle errors from input_mt_init_slots() scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences scsi: zorro_esp: Limit DMA transfers to 65536 bytes (except on Fastlane) PCI: rpaphp: Fix up pointer to first drc-info entry scsi: ufs: fix potential bug which ends in system hang powerpc/pseries/cmm: Implement release() function for sysfs device PCI: rpaphp: Don't rely on firmware feature to imply drc-info support PCI: rpaphp: Annotate and correctly byte swap DRC properties PCI: rpaphp: Correctly match ibm, my-drc-index to drc-name when using drc-info powerpc/security: Fix wrong message when RFI Flush is disable powerpc/eeh: differentiate duplicate detection message powerpc/book3s/mm: Update Oops message to print the correct translation in use scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE clk: pxa: fix one of the pxa RTC clocks bcache: at least try to shrink 1 node in bch_mca_scan() HID: quirks: Add quirk for HP MSU1465 PIXART OEM mouse dt-bindings: Improve validation build error handling HID: logitech-hidpp: Silence intermittent get_battery_capacity errors HID: i2c-hid: fix no irq after reset on raydium 3118 ARM: 8937/1: spectre-v2: remove Brahma-B53 from hardening libnvdimm/btt: fix variable 'rc' set but not used HID: Improve Windows Precision Touchpad detection. HID: rmi: Check that the RMI_STARTED bit is set before unregistering the RMI transport device watchdog: imx7ulp: Fix reboot hang watchdog: prevent deferral of watchdogd wakeup on RT watchdog: Fix the race between the release of watchdog_core_data and cdev powerpc/fixmap: Use __fix_to_virt() instead of fix_to_virt() scsi: pm80xx: Fix for SATA device discovery scsi: ufs: Fix error handing during hibern8 enter scsi: scsi_debug: num_tgts must be >= 0 scsi: NCR5380: Add disconnect_mask module parameter scsi: target: core: Release SPC-2 reservations when closing a session scsi: ufs: Fix up auto hibern8 enablement scsi: iscsi: Don't send data to unbound connection scsi: target: iscsi: Wait for all commands to finish before freeing a session f2fs: Fix deadlock in f2fs_gc() context during atomic files handling habanalabs: skip VA block list update in reset flow gpio/mpc8xxx: fix qoriq GPIO reading platform/x86: intel_pmc_core: Fix the SoC naming inconsistency platform/x86: intel_pmc_core: Add Comet Lake (CML) platform support to intel_pmc_core driver gpio: mpc8xxx: Don't overwrite default irq_set_type callback gpio: lynxpoint: Setup correct IRQ handlers tools/power/x86/intel-speed-select: Ignore missing config level Drivers: hv: vmbus: Fix crash handler reset of Hyper-V synic apparmor: fix unsigned len comparison with less than zero drm/amdgpu: Call find_vma under mmap_sem scripts/kallsyms: fix definitely-lost memory leak powerpc: Don't add -mabi= flags when building with Clang cifs: Fix use-after-free bug in cifs_reconnect() um: virtio: Keep reading on -EAGAIN io_uring: io_allocate_scq_urings() should return a sane state of: unittest: fix memory leak in attach_node_and_children cdrom: respect device capabilities during opening action cifs: move cifsFileInfo_put logic into a work-queue perf diff: Use llabs() with 64-bit values perf script: Fix brstackinsn for AUXTRACE perf regs: Make perf_reg_name() return "unknown" instead of NULL s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR mailbox: imx: Clear the right interrupts at shutdown libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h s390/unwind: filter out unreliable bogus %r14 s390/cpum_sf: Check for SDBT and SDB consistency ocfs2: fix passing zero to 'PTR_ERR' warning mailbox: imx: Fix Tx doorbell shutdown path s390: disable preemption when switching to nodat stack with CALL_ON_STACK selftests: vm: add fragment CONFIG_TEST_VMALLOC mm/hugetlbfs: fix error handling when setting up mounts kernel: sysctl: make drop_caches write-only userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK Revert "powerpc/vcpu: Assume dedicated processors as non-preempt" sctp: fix err handling of stream initialization md: make sure desc_nr less than MD_SB_DISKS Revert "iwlwifi: assign directly to iwl_trans->cfg in QuZ detection" netfilter: ebtables: compat: reject all padding in matches/watchers 6pack,mkiss: fix possible deadlock powerpc: Fix __clear_user() with KUAP enabled net/smc: add fallback check to connect() netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() inetpeer: fix data-race in inet_putpeer / inet_putpeer net: add a READ_ONCE() in skb_peek_tail() net: icmp: fix data-race in cmp_global_allow() hrtimer: Annotate lockless access to timer->state tomoyo: Don't use nifty names on sockets. uaccess: disallow > INT_MAX copy sizes drm: limit to INT_MAX in create_blob ioctl xfs: fix mount failure crash on invalid iclog memory access cxgb4/cxgb4vf: fix flow control display for auto negotiation net: dsa: bcm_sf2: Fix IP fragment location and behavior net/mlxfw: Fix out-of-memory error in mfa2 flash burning net: phy: aquantia: add suspend / resume ops for AQR105 net/sched: act_mirred: Pull mac prior redir to non mac_header_xmit device net/sched: add delete_empty() to filters and use it in cls_flower net_sched: sch_fq: properly set sk->sk_pacing_status net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs ptp: fix the race between the release of ptp_clock and cdev tcp: Fix highest_sack and highest_sack_seq udp: fix integer overflow while computing available space in sk_rcvbuf bnxt_en: Fix MSIX request logic for RDMA driver. bnxt_en: Free context memory in the open path if firmware has been reset. bnxt_en: Return error if FW returns more data than dump length bnxt_en: Fix bp->fw_health allocation and free logic. bnxt_en: Remove unnecessary NULL checks for fw_health bnxt_en: Fix the logic that creates the health reporters. bnxt_en: Add missing devlink health reporters for VFs. mlxsw: spectrum_router: Skip loopback RIFs during MAC validation mlxsw: spectrum: Use dedicated policer for VRRP packets net: add bool confirm_neigh parameter for dst_ops.update_pmtu ip6_gre: do not confirm neighbor when do pmtu update gtp: do not confirm neighbor when do pmtu update net/dst: add new function skb_dst_update_pmtu_no_confirm tunnel: do not confirm neighbor when do pmtu update vti: do not confirm neighbor when do pmtu update sit: do not confirm neighbor when do pmtu update net/dst: do not confirm neighbor for vxlan and geneve pmtu update net: dsa: sja1105: Reconcile the meaning of TPID and TPID2 for E/T and P/Q/R/S net: marvell: mvpp2: phylink requires the link interrupt gtp: fix wrong condition in gtp_genl_dump_pdp() gtp: avoid zero size hashtable bonding: fix active-backup transition after link failure tcp: do not send empty skb from tcp_write_xmit() tcp/dccp: fix possible race __inet_lookup_established() hv_netvsc: Fix tx_table init in rndis_set_subchannel() gtp: fix an use-after-free in ipv4_pdp_find() gtp: do not allow adding duplicate tid and ms_addr pdp context bnxt: apply computed clamp value for coalece parameter ipv6/addrconf: only check invalid header values when NETLINK_F_STRICT_CHK is set net: phylink: fix interface passed to mac_link_up net: ena: fix napi handler misbehavior when the napi budget is zero vhost/vsock: accept only packets with the right dst_cid mmc: sdhci-of-esdhc: fix up erratum A-008171 workaround mmc: sdhci-of-esdhc: re-implement erratum A-009204 workaround mm/hugetlbfs: fix for_each_hstate() loop in init_hugetlbfs_fs() Linux 5.4.8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9962505e7207f0004499de4666df6862105e990d	2020-01-04 19:40:03 +01:00
Tetsuo Handa	9c24cc6a9d	tomoyo: Don't use nifty names on sockets. commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e upstream. syzbot is reporting that use of SOCKET_I()->sk from open() can result in use after free problem [1], for socket's inode is still reachable via /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. At first I thought that this race condition applies to only open/getattr permission checks. But James Morris has pointed out that there are more permission checks where this race condition applies to. Thus, get rid of tomoyo_get_socket_name() instead of conditionally bypassing permission checks on sockets. As a side effect of this patch, "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be rewritten to "socket:[\$]". [1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+0341f6a4d729d4e0acf1@syzkaller.appspotmail.com> Reported-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-04 19:18:42 +01:00
Colin Ian King	4f13232aa6	apparmor: fix unsigned len comparison with less than zero [ Upstream commit 00e0590dbaec6f1bcaa36a85467d7e3497ced522 ] The sanity check in macro update_for_len checks to see if len is less than zero, however, len is a size_t so it can never be less than zero, so this sanity check is a no-op. Fix this by making len a ssize_t so the comparison will work and add ulen that is a size_t copy of len so that the min() macro won't throw warnings about comparing different types. Addresses-Coverity: ("Macro compares unsigned to 0") Fixes: `f1bd904175` ("apparmor: add the base fns() for domain labels") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-01-04 19:18:22 +01:00
Mark Salyzyn	3484eba91d	FROMLIST: Add flags option to get xattr method paired to __vfs_getxattr Add a flag option to get xattr method that could have a bit flag of XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then set in the __vfs_getxattr path when called by security infrastructure. This handles the case of a union filesystem driver that is being requested by the security layer to report back the xattr data. For the use case where access is to be blocked by the security layer. The path then could be security(dentry) -> __vfs_getxattr(dentry...XATTR_NOSECURITY) -> handler->get(dentry...XATTR_NOSECURITY) -> __vfs_getxattr(lower_dentry...XATTR_NOSECURITY) -> lower_handler->get(lower_dentry...XATTR_NOSECURITY) which would report back through the chain data and success as expected, the logging security layer at the top would have the data to determine the access permissions and report back the target context that was blocked. Without the get handler flag, the path on a union filesystem would be the errant security(dentry) -> __vfs_getxattr(dentry) -> handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested -> security(lower_dentry, log off) -> lower_handler->get(lower_dentry) which would report back through the chain no data, and -EACCES. For selinux for both cases, this would translate to a correctly determined blocked access. In the first case with this change a correct avc log would be reported, in the second legacy case an incorrect avc log would be reported against an uninitialized u:object_r:unlabeled:s0 context making the logs cosmetically useless for audit2allow. This patch series is inert and is the wide-spread addition of the flags option for xattr functions, and a replacement of __vfs_getxattr with __vfs_getxattr(...XATTR_NOSECURITY). Signed-off-by: Mark Salyzyn <salyzyn@android.com> Reviewed-by: Jan Kara <jack@suse.cz> Acked-by: Jan Kara <jack@suse.cz> Acked-by: Jeff Layton <jlayton@kernel.org> Acked-by: David Sterba <dsterba@suse.com> Acked-by: Darrick J. Wong <darrick.wong@oracle.com> Acked-by: Mike Marshall <hubcap@omnibond.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: linux-kernel@vger.kernel.org Cc: kernel-team@android.com Cc: linux-security-module@vger.kernel.org (cherry picked from (rejected from archive because of too many recipients)) Signed-off-by: Mark Salyzyn <salyzyn@google.com> Bug: 133515582 Bug: 136124883 Bug: 129319403 Change-Id: Iabbb8771939d5f66667a26bb23ddf4c562c349a1	2019-11-05 13:50:57 -08:00
Greg Kroah-Hartman	2a71bdee3f	Linux 5.4-rc6 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl2/T6oeHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGB7kH/2asrl7RylHPQfsI pkjPPq32MHLq6Zmr8y0N0hyJCm1Dxu8qCIktqrEV5vsbKdv5pb8EMdQRlhJUtR8e TZdYDGHiL0sFb2HYiEvL0qD9BNeI+Kftw/kUffVXRzyMWex/f5S6mW5QNTuv9SQT Zfa+sXreFPCCyd3jhQFRyguogaCXBmTYvO6glmc96Yi4nA1URtIxNXhXumoklElF 8Ka7UqtoJk2nPns+oV9I5xohghgJHHjA3A96WURku1UdO9dRoHiyS05RjnijBxsk ffenk09qbGvnvvgP93Q23CoTO8ndIm12ZL8C9jX49CS21j5SVG0PLPhS08f70vEf h5K/OtE= =nmDP -----END PGP SIGNATURE----- Merge 5.4-rc6 into android-mainline Linux 5.4-rc6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I211f7159a46cf2a3dbb18afe56777cae1c13ac73	2019-11-04 06:51:47 +01:00
Javier Martinez Canillas	359efcc2c9	efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API. Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space to call EFI runtime services. Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users to call the EFI runtime services, instead of just relying on the chardev file mode bits for this. The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool. [0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by: Laszlo Ersek <lersek@redhat.com> Acked-by: Matthew Garrett <mjg59@google.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-efi@vger.kernel.org Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>	2019-10-31 09:40:21 +01:00
Greg Kroah-Hartman	630839ac24	Linux 5.4-rc3 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl2jtUYeHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGL28H/Akb3JEXNKHCv3MI 89dzKlLgf/W/e0qJirb9/YdcUL462NUFoC0Bg0qLgLFYdhT94Zp5J68C4oZPJfxA /LrTDsHWrbUtTvhxJqMueVT3JTpkF36ZTvTGwLTHzTqexM/o3kuDWjWTTxZlMGbX Uais/ywmmCVCmaX8IJ3GJFGCJse+T1W73VOSo7bm6C+Ruy6Euwasa9kc40uHiPpD 6Xew9j9AJ0xIV96sLzDFOYAXYFQBZnAbFLA+Ho53TiuG78J6MP4Pm9+1VhMyF1uH mgeA5GAfKpqq/QXf32iMU7s7HTdoF5r1UaQJtu+p6BFTGhd7LrDrh4gA/9Wyv7+t 9stS20U= =ima3 -----END PGP SIGNATURE----- Merge 5.4-rc3 into android-mainline Linux 5.4-rc3 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia87ba662738dd58ddb917e32c1fbd812861e7a46	2019-10-17 05:28:13 -07:00
Linus Torvalds	2ef459167a	selinux/stable-5.4 PR 20191007 -----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl2bu6kUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXMsxhAAtoljww3Xur0JpD7y+g2yzKGZqn9F ovqH103NOdpXY3vRN5TL0ZfKEWZz/a2Rjyjz/9+Ix5kKFQuaguk9TVenp4LuAWjy yyo8aSArqwJEpPbrgQDRkjvq08zCcsHSQHwyR44L5MEB8w03Hr+GKFbroR7DkB8R qthF5nRoarblEpdc88s3WbPN/Yz32zRwl3EppSRriIBSBUNr6OP5yO6YDvBdwJso CvmQybMK/iGiZrDzm5jAXzUyI79MHkrrB55roNXIdam9Rnyb9Wqjt9SQgzDLTvO1 Z7c4pXqDn1iMSECAqR7EeKLmsEvnp8omDMqbZOsGiWwka93nuNM4NRhswMF6X3pf EbmBAuj0CokWlRoJAxyxrw/Tn+KXWjyOpOMoNQR7dyyewenzPTWw4zLhiSsl4Epo e1+3PDkJeZhlrtqMcQhep/OgfnPp/8FlgZXNkq1wsMK6SawIiwvxH3mpELE4I8Zk 3yzYZvnxIDNLcx6TmDgDcJyp+P/iuFGK707G6ogCoCK9VqyTs+nwdZn3s2o1KRDW 00LdiuXiqOyfdDthfY/q5suKJoWExh+K1dhQ7Llx169yx3uOjlnzTaSTt8dcvhkh Y+Nf5pEk0MVgnldaIRy/Zzr4y81Q7QW6ZwD62NHCIhcSevYczFOP7K6V/mYFmDT1 xlCDPXeHyuR5DrM= =btWt -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinuxfix from Paul Moore: "One patch to ensure we don't copy bad memory up into userspace" * tag 'selinux-pr-20191007' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix context string corruption in convert_context()	2019-10-08 10:51:37 -07:00
Greg Kroah-Hartman	8e9e0abf99	Linux 5.4-rc2 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl2aXEoeHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGZKUH/1S+unzPxmXwraBl ORnOSMCaoepaCS2kc4nFim3hpnwzuFLn8NHPSARPPBO7Jy9Shtku0om66rF6R4DD zoe/QSLvtUqiVU6xuPR8ymjeizN+qj+9RT8tDftCs2QCBqZ/jr/kKiiA32aipnrz IBC+I6eKFN0WqBep5NwAkIAok+JiUBMIEuEXjkF2q0Vw9fnmmNRMm6rPDk1dHgQi K6mr8N3Vbsdadn/XBt4DRje2c593cfOnryPUwyIIBGw5W6EECX6k9CeD+CNNxLYb mPNC34wQsqvbAOsP6Y+2lBLZw+0AG5uLytDrwNNO1JKSEYMSG6wH4t7C6w0IlTQt OkYK3S0= =0ny6 -----END PGP SIGNATURE----- Merge 5.4-rc2 into android-mainline Linux 5.4-rc2 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Idfe13500feef5c1095d06c419fa121f751daa459	2019-10-07 07:09:37 +02:00
Masahiro Yamada	7a8beb7ad5	integrity: remove pointless subdir-$(CONFIG_...) The ima/ and evm/ sub-directories contain built-in objects, so obj-$(CONFIG_...) is the correct way to descend into them. subdir-$(CONFIG_...) is redundant. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>	2019-10-05 15:29:49 +09:00
Masahiro Yamada	6b190d3ce0	integrity: remove unneeded, broken attempt to add -fshort-wchar I guess commit `15ea0e1e3e` ("efi: Import certificates from UEFI Secure Boot") attempted to add -fshort-wchar for building load_uefi.o, but it has never worked as intended. load_uefi.o is created in the platform_certs/ sub-directory. If you really want to add -fshort-wchar, the correct code is: $(obj)/platform_certs/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar But, you do not need to fix it. Commit `8c97023cf0` ("Kbuild: use -fshort-wchar globally") had already added -fshort-wchar globally. This code was unneeded in the first place. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>	2019-10-05 15:29:49 +09:00
Ondrej Mosnacek	2a5243937c	selinux: fix context string corruption in convert_context() string_to_context_struct() may garble the context string, so we need to copy back the contents again from the old context struct to avoid storing the corrupted context. Since string_to_context_struct() tokenizes (and therefore truncates) the context string and we are later potentially copying it with kstrdup(), this may eventually cause pieces of uninitialized kernel memory to be disclosed to userspace (when copying to userspace based on the stored length and not the null character). How to reproduce on Fedora and similar: # dnf install -y memcached # systemctl start memcached # semodule -d memcached # load_policy # load_policy # systemctl stop memcached # ausearch -m AVC type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76 Cc: stable@vger.kernel.org Reported-by: Milos Malik <mmalik@redhat.com> Fixes: `ee1a84fdfe` ("selinux: overhaul sidtab to fix bug and improve performance") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>	2019-10-03 14:13:36 -04:00
Greg Kroah-Hartman	cb33d78781	Linux 5.4-rc1 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl2SPPkeHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiG3dcH/2iCaNvD0Ify+Ke/ d0Ncf7KhBejfW1pjGjfpfbAQkdaY/gSLsWPJmQ2HT00SmnTJ4y3zvr/HmEE8mIBA fMzY4TFHMRNNEOrCugoNxzjU5ycgIMq5doontDdHeS7Pfa8mgDLLwH/dzoORA0+b T1ZZT3yDsQ92/jW97LEhTv7UcKqgBdVT5PauU/pe6LHpqmzn8XwdiKaNTM1uY8vw U9rIrYnfxCuLfxyK7xUp6bRUlqluZrY4U+pqEnGOVlFYX1xMjjPIE9sDHJ/z5WvY JSH4/aOqVxRII2oU0+uITsO658tS912iUsa8++F6Z5R1gZSqQD1FqrvW7Z0S58Ay vjXIX3Q= =epsM -----END PGP SIGNATURE----- Merge 5.4-rc1 into android-mainline Linux 5.4-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I15eec52df70f829acf81ff614a1c2a5fb443a4e0	2019-10-02 19:10:07 +02:00
Greg Kroah-Hartman	94139142d9	Merge 5.4-rc1-prelrease into android-mainline To make the 5.4-rc1 merge easier, merge at a prerelease point in time before the final release happens. Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If613d657fd0abf9910c5bf3435a745f01b89765e	2019-10-02 17:58:47 +02:00
Linus Torvalds	aefcf2f4b5	Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull kernel lockdown mode from James Morris: "This is the latest iteration of the kernel lockdown patchset, from Matthew Garrett, David Howells and others. From the original description: This patchset introduces an optional kernel lockdown feature, intended to strengthen the boundary between UID 0 and the kernel. When enabled, various pieces of kernel functionality are restricted. Applications that rely on low-level access to either hardware or the kernel may cease working as a result - therefore this should not be enabled without appropriate evaluation beforehand. The majority of mainstream distributions have been carrying variants of this patchset for many years now, so there's value in providing a doesn't meet every distribution requirement, but gets us much closer to not requiring external patches. There are two major changes since this was last proposed for mainline: - Separating lockdown from EFI secure boot. Background discussion is covered here: https://lwn.net/Articles/751061/ - Implementation as an LSM, with a default stackable lockdown LSM module. This allows the lockdown feature to be policy-driven, rather than encoding an implicit policy within the mechanism. The new locked_down LSM hook is provided to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. The included lockdown LSM provides an implementation with a simple policy intended for general purpose use. This policy provides a coarse level of granularity, controllable via the kernel command line: lockdown={integrity\|confidentiality} Enable the kernel lockdown feature. If set to integrity, kernel features that allow userland to modify the running kernel are disabled. If set to confidentiality, kernel features that allow userland to extract confidential information from the kernel are also disabled. This may also be controlled via /sys/kernel/security/lockdown and overriden by kernel configuration. New or existing LSMs may implement finer-grained controls of the lockdown features. Refer to the lockdown_reason documentation in include/linux/security.h for details. The lockdown feature has had signficant design feedback and review across many subsystems. This code has been in linux-next for some weeks, with a few fixes applied along the way. Stephen Rothwell noted that commit `9d1f8be5cf` ("bpf: Restrict bpf when kernel lockdown is in confidentiality mode") is missing a Signed-off-by from its author. Matthew responded that he is providing this under category (c) of the DCO" * 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (31 commits) kexec: Fix file verification on S390 security: constify some arrays in lockdown LSM lockdown: Print current->comm in restriction messages efi: Restrict efivar_ssdt_load when the kernel is locked down tracefs: Restrict tracefs when the kernel is locked down debugfs: Restrict debugfs when the kernel is locked down kexec: Allow kexec_file() with appropriate IMA policy when locked down lockdown: Lock down perf when in confidentiality mode bpf: Restrict bpf when kernel lockdown is in confidentiality mode lockdown: Lock down tracing and perf kprobes when in confidentiality mode lockdown: Lock down /proc/kcore x86/mmiotrace: Lock down the testmmiotrace module lockdown: Lock down module params that specify hardware parameters (eg. ioport) lockdown: Lock down TIOCSSERIAL lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down acpi: Disable ACPI table override if the kernel is locked down acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down ACPI: Limit access to custom_method when the kernel is locked down x86/msr: Restrict MSR access when the kernel is locked down x86: Lock down IO port access when the kernel is locked down ...	2019-09-28 08:14:15 -07:00
Linus Torvalds	f1f2f614d5	Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity updates from Mimi Zohar: "The major feature in this time is IMA support for measuring and appraising appended file signatures. In addition are a couple of bug fixes and code cleanup to use struct_size(). In addition to the PE/COFF and IMA xattr signatures, the kexec kernel image may be signed with an appended signature, using the same scripts/sign-file tool that is used to sign kernel modules. Similarly, the initramfs may contain an appended signature. This contained a lot of refactoring of the existing appended signature verification code, so that IMA could retain the existing framework of calculating the file hash once, storing it in the IMA measurement list and extending the TPM, verifying the file's integrity based on a file hash or signature (eg. xattrs), and adding an audit record containing the file hash, all based on policy. (The IMA support for appended signatures patch set was posted and reviewed 11 times.) The support for appended signature paves the way for adding other signature verification methods, such as fs-verity, based on a single system-wide policy. The file hash used for verifying the signature and the signature, itself, can be included in the IMA measurement list" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: ima_api: Use struct_size() in kzalloc() ima: use struct_size() in kzalloc() sefltest/ima: support appended signatures (modsig) ima: Fix use after free in ima_read_modsig() MODSIGN: make new include file self contained ima: fix freeing ongoing ahash_request ima: always return negative code for error ima: Store the measurement again when appraising a modsig ima: Define ima-modsig template ima: Collect modsig ima: Implement support for module-style appended signatures ima: Factor xattr_verify() out of ima_appraise_measurement() ima: Add modsig appraise_type option for module-style appended signatures integrity: Select CONFIG_KEYS instead of depending on it PKCS#7: Introduce pkcs7_get_digest() PKCS#7: Refactor verify_pkcs7_signature() MODSIGN: Export module signature definitions ima: initialize the "template" field with the default template	2019-09-27 19:37:27 -07:00
Roberto Sassu	9f75c82246	KEYS: trusted: correctly initialize digests and fix locking issue Commit `0b6cf6b97b` ("tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()") modifies tpm_pcr_extend() to accept a digest for each PCR bank. After modification, tpm_pcr_extend() expects that digests are passed in the same order as the algorithms set in chip->allocated_banks. This patch fixes two issues introduced in the last iterations of the patch set: missing initialization of the TPM algorithm ID in the tpm_digest structures passed to tpm_pcr_extend() by the trusted key module, and unreleased locks in the TPM driver due to returning from tpm_pcr_extend() without calling tpm_put_ops(). Cc: stable@vger.kernel.org Fixes: `0b6cf6b97b` ("tpm: pass an array of tpm_extend_digest structures to tpm_pcr_extend()") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Suggested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>	2019-09-25 02:43:53 +03:00
Linus Torvalds	e94f8ccde4	I have four patches for v5.4. Nothing is major. All but one are in response to mechanically detected potential issues. The remaining patch cleans up kernel-doc notations. -----BEGIN PGP SIGNATURE----- iQJLBAABCAA1FiEEC+9tH1YyUwIQzUIeOKUVfIxDyBEFAl2JI5wXHGNhc2V5QHNj aGF1Zmxlci1jYS5jb20ACgkQOKUVfIxDyBEOJQ/5AXdQTd09LMp9jB54u9Usdm71 +kyJ/KudEja8/pCDDNboiXSfoagRqJ8AbuBAbGLtWLXc3smUcL1mncdfJDJAk88J mbIB+qWMls5fC25udD+B2bF2py+eyVJ7dsnvHZg1mS5KUxYBMWVEqgX9zW0EFgNH xd2/nB314GhULrfqagxxCd/HpbZ3GV1sM+BkfRPx2zm3gJ8xAuXm1xMMgchP9WqH MFJDqk8r1wXCog8OkjQjAYR8zGRJTrP9W6UY9p1L6rp9rtfyPObBuAMLKv3WlXx8 Jz7idqSDNa49V7W3UrWcjXCunbjyPR7HszuuxhTC+EmB1MRU4IdX9I6ZdAaTuxEM jFNwSSjIWRgXkJfLxrDX1ukFPU0JCd8ms7Lzw5YHq2TWt/V/7h4jyUCN8o9BN80r 7WzqdzT4v+Exc6TpqlpkHiQjJFL4ByEzNt3xNVZ3UFIyxnogVi45kL/78PsqDk/j XWqM9bED8dBjM/K3EGqzj0mPCtILLnTm9ZyDvFF75jabf4rk0E354yGcuamoF+eM UTT+3NTPQB/kI5i9av8ibGezInVVRQeHuI1/qIaD/Hsr8K7VJbqlB1k/rUxUZaSy 6g9e0mU2GLgM+eW0EKW0GWpV6/STqzskxu2TW46tobpOykwH9dNKJHhJzx7nEWJi +5kMcGIvFCha6922/sM= =QV1S -----END PGP SIGNATURE----- Merge tag 'smack-for-5.4-rc1' of git://github.com/cschaufler/smack-next Pull smack updates from Casey Schaufler: "Four patches for v5.4. Nothing is major. All but one are in response to mechanically detected potential issues. The remaining patch cleans up kernel-doc notations" * tag 'smack-for-5.4-rc1' of git://github.com/cschaufler/smack-next: smack: use GFP_NOFS while holding inode_smack::smk_lock security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() smack: fix some kernel-doc notations Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set	2019-09-23 14:25:45 -07:00
Linus Torvalds	1b5fb41544	Merge tag 'safesetid-bugfix-5.4' of git://github.com/micah-morton/linux Pull SafeSetID fix from Micah Morton: "Jann Horn sent some patches to fix some bugs in SafeSetID for 5.3. After he had done his testing there were a couple small code tweaks that went in and caused this bug. From what I can see SafeSetID is broken in 5.3 and crashes the kernel every time during initialization if you try to use it. I came across this bug when backporting Jann's changes for 5.3 to older kernels (4.14 and 4.19). I've tested on a Chrome OS device with those kernels and verified that this change fixes things. It doesn't seem super useful to have this bake in linux-next, since it is completely broken in 5.3 and nobody noticed" * tag 'safesetid-bugfix-5.4' of git://github.com/micah-morton/linux: LSM: SafeSetID: Stop releasing uninitialized ruleset	2019-09-23 11:39:56 -07:00
Linus Torvalds	5825a95fe9	selinux/stable-5.4 PR 20190917 -----BEGIN PGP SIGNATURE----- iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAl2BLvcUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXP9pA/+Ls9sRGZoEipycbgRnwkL9/6yFtn4 UCFGMP0eobrjL82i8uMOa/72Budsp3ZaZRxf36NpbMDPyB9ohp5jf7o1WFTELESv EwxVvOMNwrxO2UbzRv3iywnhdPVJ4gHPa4GWfBHu2EEfhz3/Bv0tPIBdeXAbq4aC R0p+M9X0FFEp9eP4ftwOvFGpbZ8zKo1kwgdvCnqLhHDkyqtapqO/ByCTe1VATERP fyxjYDZNnITmI0plaIxCeeudklOTtVSAL4JPh1rk8rZIkUznZ4EBDHxdKiaz3j9C ZtAthiAA9PfAwf4DZSPHnGsfINxeNBKLD65jZn/PUne/gNJEx4DK041X9HXBNwjv OoArw58LCzxtTNZ//WB4CovRpeSdKvmKv0oh61k8cdQahLeHhzXE1wLQbnnBJLI3 CTsumIp4ZPEOX5r4ogdS3UIQpo3KrZump7VO85yUTRni150JpZR3egYpmcJ0So1A QTPemBhC2CHJVTpycYZ9fVTlPeC4oNwosPmvpB8XeGu3w5JpuNSId+BDR/ZlQAmq xWiIocGL3UMuPuJUrTGChifqBAgzK+gLa7S7RYPEnTCkj6LVQwsuP4gBXf75QTG4 FPwVcoMSDFxUDF0oFqwz4GfJlCxBSzX+BkWUn6jIiXKXBnQjU+1gu6KTwE25mf/j snJznFk25hFYFaM= =n4ht -----END PGP SIGNATURE----- Merge tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: - Add LSM hooks, and SELinux access control hooks, for dnotify, fanotify, and inotify watches. This has been discussed with both the LSM and fs/notify folks and everybody is good with these new hooks. - The LSM stacking changes missed a few calls to current_security() in the SELinux code; we fix those and remove current_security() for good. - Improve our network object labeling cache so that we always return the object's label, even when under memory pressure. Previously we would return an error if we couldn't allocate a new cache entry, now we always return the label even if we can't create a new cache entry for it. - Convert the sidtab atomic_t counter to a normal u32 with READ/WRITE_ONCE() and memory barrier protection. - A few patches to policydb.c to clean things up (remove forward declarations, long lines, bad variable names, etc) * tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: lsm: remove current_security() selinux: fix residual uses of current_security() for the SELinux blob selinux: avoid atomic_t usage in sidtab fanotify, inotify, dnotify, security: add security hook for fs notifications selinux: always return a secid from the network caches if we find one selinux: policydb - rename type_val_to_struct_array selinux: policydb - fix some checkpatch.pl warnings selinux: shuffle around policydb.c to get rid of forward declarations	2019-09-23 11:21:04 -07:00
Micah Morton	21ab8580b3	LSM: SafeSetID: Stop releasing uninitialized ruleset The first time a rule set is configured for SafeSetID, we shouldn't be trying to release the previously configured ruleset, since there isn't one. Currently, the pointer that would point to a previously configured ruleset is uninitialized on first rule set configuration, leading to a crash when we try to call release_ruleset with that pointer. Acked-by: Jann Horn <jannh@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org>	2019-09-17 11:27:05 -07:00
Matthew Garrett	f8a9bc623a	security: constify some arrays in lockdown LSM No reason for these not to be const. Signed-off-by: Matthew Garrett <mjg59@google.com> Suggested-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>	2019-09-10 13:27:38 +01:00
Greg Kroah-Hartman	b7ee32b12f	Linux 5.3-rc8 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl11ZZIeHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGUEYH/3dOHJ00BhSQNL39 KSk1cuVq0UHIGcdOK+qp+3YLzaO6rpKJ7HYuQQ4ddLJwZ8wWGUZ03eDkp689axkb XMMhcbuaQ5AZT017UPPU/9ECqJtKmLHZEm3y4cU2ybFhI76eDD4S07xfC/L5h/xc aWyRRPBQhjZHIdCejg9eSJNMQJycW7l7npMEBeE9qDRmCWxZUHten2jBcL0XpXPw BJ0T7XKFHsbh/RP7K/7GHFxVZXPO8rl8pIlRaX+3bKqgUV721LwR+gyHbFYYntlC 7tfL4KcG9lQvCoUuh1cMtnZuMzc88TGdI5xb7Y1Gq6HtR7LTLLrfpp3nwqst912u xq8iHpw= =WnfD -----END PGP SIGNATURE----- Merge 5.3-rc8 into android-mainline Linux 5.3-rc8 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I2908bd47266c7645d360bbe273bb10ada3cc8e3c	2019-09-09 10:37:39 +01:00
Hillf Danton	d41a3effbb	keys: Fix missing null pointer check in request_key_auth_describe() If a request_key authentication token key gets revoked, there's a window in which request_key_auth_describe() can see it with a NULL payload - but it makes no check for this and something like the following oops may occur: BUG: Kernel NULL pointer dereference at 0x00000038 Faulting instruction address: 0xc0000000004ddf30 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [...] request_key_auth_describe+0x90/0xd0 LR [...] request_key_auth_describe+0x54/0xd0 Call Trace: [...] request_key_auth_describe+0x54/0xd0 (unreliable) [...] proc_keys_show+0x308/0x4c0 [...] seq_read+0x3d0/0x540 [...] proc_reg_read+0x90/0x110 [...] __vfs_read+0x3c/0x70 [...] vfs_read+0xb4/0x1b0 [...] ksys_read+0x7c/0x130 [...] system_call+0x5c/0x70 Fix this by checking for a NULL pointer when describing such a key. Also make the read routine check for a NULL pointer to be on the safe side. [DH: Modified to not take already-held rcu lock and modified to also check in the read routine] Fixes: `04c567d931` ("[PATCH] Keys: Fix race between two instantiators of a key") Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com> Signed-off-by: Hillf Danton <hdanton@sina.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>	2019-09-05 14:19:25 -07:00
Stephen Smalley	169ce0c081	selinux: fix residual uses of current_security() for the SELinux blob We need to use selinux_cred() to fetch the SELinux cred blob instead of directly using current->security or current_security(). There were a couple of lingering uses of current_security() in the SELinux code that were apparently missed during the earlier conversions. IIUC, this would only manifest as a bug if multiple security modules including SELinux are enabled and SELinux is not first in the lsm order. After this change, there appear to be no other users of current_security() in-tree; perhaps we should remove it altogether. Fixes: `bbd3662a83` ("Infrastructure management of the cred security blob") Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>	2019-09-04 18:41:12 -04:00
Eric Biggers	e5bfad3d7a	smack: use GFP_NOFS while holding inode_smack::smk_lock inode_smack::smk_lock is taken during smack_d_instantiate(), which is called during a filesystem transaction when creating a file on ext4. Therefore to avoid a deadlock, all code that takes this lock must use GFP_NOFS, to prevent memory reclaim from waiting for the filesystem transaction to complete. Reported-by: syzbot+0eefc1e06a77d327a056@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>	2019-09-04 09:37:07 -07:00
Jia-Ju Bai	3f4287e7d9	security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() In smack_socket_sock_rcv_skb(), there is an if statement on line 3920 to check whether skb is NULL: if (skb && skb->secmark != 0) This check indicates skb can be NULL in some cases. But on lines 3931 and 3932, skb is used: ad.a.u.net->netif = skb->skb_iif; ipv6_skb_to_auditdata(skb, &ad.a, NULL); Thus, possible null-pointer dereferences may occur when skb is NULL. To fix these possible bugs, an if statement is added to check skb. These bugs are found by a static analysis tool STCheck written by us. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>	2019-09-04 09:37:07 -07:00
luanshi	a1a07f2234	smack: fix some kernel-doc notations Fix/add kernel-doc notation and fix typos in security/smack/. Signed-off-by: Liguang Zhang <zhangliguang@linux.alibaba.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>	2019-09-04 09:37:07 -07:00
Jann Horn	3675f052b4	Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set There is a logic bug in the current smack_bprm_set_creds(): If LSM_UNSAFE_PTRACE is set, but the ptrace state is deemed to be acceptable (e.g. because the ptracer detached in the meantime), the other ->unsafe flags aren't checked. As far as I can tell, this means that something like the following could work (but I haven't tested it): - task A: create task B with fork() - task B: set NO_NEW_PRIVS - task B: install a seccomp filter that makes open() return 0 under some conditions - task B: replace fd 0 with a malicious library - task A: attach to task B with PTRACE_ATTACH - task B: execve() a file with an SMACK64EXEC extended attribute - task A: while task B is still in the middle of execve(), exit (which destroys the ptrace relationship) Make sure that if any flags other than LSM_UNSAFE_PTRACE are set in bprm->unsafe, we reject the execve(). Cc: stable@vger.kernel.org Fixes: `5663884caa` ("Smack: unify all ptrace accesses in the smack") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>	2019-09-04 09:36:57 -07:00
Greg Kroah-Hartman	94cc606e3e	Linux 5.3-rc7 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl1tSg4eHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiG018IAJGV7SbXggW/iC+e cSMlo8kPnuU7dKCUW+ngXnZY1xuDYWPhXMX9+yDYf2NfMYGdDGYZ+GRjSFim816w HsNsovnYiyxhkh+wA/DmZPWKdTgYrIxbPRO+MlO5ZfbxWNaLgSjqirz0iBITSv3S r2XLmFw8GVACv/GkNGrWBM53wpkJLHzvwaV9hg6dr8HFDipaEn7vEY9/LAN3S3fw reVwW6Q4N4+RSofM1eIGgAZsTYbYBDfri94mRQZ3y+Q8EkRGkJ270WKA0OAVFYS7 KA6nrjvGSYVtmDK3HORjbINQn3bXwIKeMZHl15c+LGM9ePwoHbsN3+smBswRX+R3 JDQjkhY= =DV37 -----END PGP SIGNATURE----- Merge 5.3-rc7' into android-mainline Linux 5.3-rc7 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Idb7a4bac47aad24a134ab4e98ea40e7bf201895b	2019-09-02 20:29:11 +02:00
Eric Biggers	846d2db3e0	keys: ensure that ->match_free() is called in request_key_and_link() If check_cached_key() returns a non-NULL value, we still need to call key_type::match_free() to undo key_type::match_preparse(). Fixes: `7743c48e54` ("keys: Cache result of request_key*() temporarily in task_struct") Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>	2019-08-30 11:10:55 -07:00
Gustavo A. R. Silva	2a7f0e53da	ima: ima_api: Use struct_size() in kzalloc() One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct ima_template_entry { ... struct ima_field_data template_data[0]; /* template related data / }; instance = kzalloc(sizeof(struct ima_template_entry) + count sizeof(struct ima_field_data), GFP_NOFS); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kzalloc(struct_size(instance, entry, count), GFP_NOFS); This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2019-08-29 14:23:30 -04:00
Gustavo A. R. Silva	fa5b571753	ima: use struct_size() in kzalloc() One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct foo { int stuff; struct boo entry[]; }; instance = kzalloc(sizeof(struct foo) + count * sizeof(struct boo), GFP_KERNEL); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL); This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2019-08-29 14:23:22 -04:00
Thiago Jung Bauermann	556d971bda	ima: Fix use after free in ima_read_modsig() If we can't parse the PKCS7 in the appended modsig, we will free the modsig structure and then access one of its members to determine the error value. Fixes: `39b0709636` ("ima: Implement support for module-style appended signatures") Reported-by: kbuild test robot <lkp@intel.com> Reported-by: Julia Lawall <julia.lawall@lip6.fr> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Reviewed-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>	2019-08-28 15:01:24 -04:00
Ondrej Mosnacek	116f21bb96	selinux: avoid atomic_t usage in sidtab As noted in Documentation/atomic_t.txt, if we don't need the RMW atomic operations, we should only use READ_ONCE()/WRITE_ONCE() + smp_rmb()/smp_wmb() where necessary (or the combined variants smp_load_acquire()/smp_store_release()). This patch converts the sidtab code to use regular u32 for the counter and reverse lookup cache and use the appropriate operations instead of atomic_get()/atomic_set(). Note that when reading/updating the reverse lookup cache we don't need memory barriers as it doesn't need to be consistent or accurate. We can now also replace some atomic ops with regular loads (when under spinlock) and stores (for conversion target fields that are always accessed under the master table's spinlock). We can now also bump SIDTAB_MAX to U32_MAX as we can use the full u32 range again. Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Jann Horn <jannh@google.com> Signed-off-by: Paul Moore <paul@paul-moore.com>	2019-08-27 13:26:13 -04:00
Greg Kroah-Hartman	a5bd47ef3f	Linux 5.3-rc5 -----BEGIN PGP SIGNATURE----- iQFSBAABCAA8FiEEq68RxlopcLEwq+PEeb4+QwBBGIYFAl1Zw6ceHHRvcnZhbGRz QGxpbnV4LWZvdW5kYXRpb24ub3JnAAoJEHm+PkMAQRiGbiUH/0kqDBzkpne1odxW LeAPtTgmxDbcOE/bgIk374e95mn3EP3arna01BLc5ztwkQ521f4Iw5mKW5InZcyu 3/IvpYeQUcdazphWSu72VnUZ8QfYNh4NJDjAx6iyliQ1NpJF9LLYLWWjlqwGbWHQ USbwp7A+56m1AWWmce2r50DK7jEZShKxRBQrXNXtvn8+YaVMvmdZpT6ejyG52J+4 zr9yYrT9sa5jcPGPnWN/sx03/BPij+yOFKKe8L9vprb3uEmNKPvqtAbUpI0QYw6j T+eZELLxAOsUk84kxQyTLCU/GMesP6hIaE93HlpmgcQkBBzK7H5SBN37r8OJjOeS IXlJX4c= =9Iey -----END PGP SIGNATURE----- Merge 5.3-rc5 into android-mainline Linux 5.3-rc5 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ibfaea1b9aca9f04a59def096f327c2afbd0cb296	2019-08-26 16:43:17 +02:00
Matthew Garrett	b602614a81	lockdown: Print current->comm in restriction messages Print the content of current->comm in messages generated by lockdown to indicate a restriction that was hit. This makes it a bit easier to find out what caused the message. The message now patterned something like: Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7 Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>	2019-08-19 21:54:17 -07:00
Matthew Garrett	ccbd54ff54	tracefs: Restrict tracefs when the kernel is locked down Tracefs may release more information about the kernel than desirable, so restrict it when the kernel is locked down in confidentiality mode by preventing open(). (Fixed by Ben Hutchings to avoid a null dereference in default_file_open()) Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: James Morris <jmorris@namei.org>	2019-08-19 21:54:17 -07:00
David Howells	5496197f9b	debugfs: Restrict debugfs when the kernel is locked down Disallow opening of debugfs files that might be used to muck around when the kernel is locked down as various drivers give raw access to hardware through debugfs. Given the effort of auditing all 2000 or so files and manually fixing each one as necessary, I've chosen to apply a heuristic instead. The following changes are made: (1) chmod and chown are disallowed on debugfs objects (though the root dir can be modified by mount and remount, but I'm not worried about that). (2) When the kernel is locked down, only files with the following criteria are permitted to be opened: - The file must have mode 00444 - The file must not have ioctl methods - The file must not have mmap (3) When the kernel is locked down, files may only be opened for reading. Normal device interaction should be done through configfs, sysfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. I would actually prefer to lock down all files by default and have the the files unlocked by the creator. This is tricky to manage correctly, though, as there are 19 creation functions and ~1600 call sites (some of them in loops scanning tables). Signed-off-by: David Howells <dhowells@redhat.com> cc: Andy Shevchenko <andy.shevchenko@gmail.com> cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett <mjg59@srcf.ucam.org> cc: Thomas Gleixner <tglx@linutronix.de> Cc: Greg KH <greg@kroah.com> Cc: Rafael J. Wysocki <rafael@kernel.org> Signed-off-by: Matthew Garrett <matthewgarrett@google.com> Signed-off-by: James Morris <jmorris@namei.org>	2019-08-19 21:54:17 -07:00

1 2 3 4 5 ...

4360 Commits